
[CVE-2026-24400] Bump assertj-core from 3.9.1 to 3.27.7#5294

Merged
dai-chen merged 1 commit into opensearch-project:2.19 from dai-chen:fix/cve-2026-24400-assertj-xxe
Mar 31, 2026

Conversation

@dai-chen
Collaborator

@dai-chen dai-chen commented Mar 31, 2026

Description

Summary

Bumps org.assertj:assertj-core from 3.9.1 to 3.27.7 in the common module to resolve CVE-2026-24400. The original fix was merged to main in #5100, but the automated backport to 2.19-dev failed.

Testing

Verified that assertj-core only appears in the :common module across the entire project:

# List every Gradle subproject (":common", ":core", ...) and grep each module's
# dependency report for assertj; modules without a hit print only their header.
for module in $(./gradlew projects 2>/dev/null | grep "Project '" | sed "s/.*Project '\\(.*\\)'/\\1/"); do
  echo "=== $module ==="
  ./gradlew ${module}:dependencies 2>/dev/null | grep -i assertj
done

=== :async-query ===
=== :async-query-core ===
=== :benchmarks ===
=== :common ===
+--- org.assertj:assertj-core:3.27.7
+--- org.assertj:assertj-core:3.27.7 (n)
+--- org.assertj:assertj-core:3.27.7
=== :core ===
=== :datasources ===
=== :doctest ===
=== :integ-test ===
=== :legacy ===
=== :opensearch ===
=== :opensearch-sql-plugin ===
=== :ppl ===
=== :prometheus ===
=== :protocol ===
=== :spark ===
=== :sql ===

Related Issues

Resolves CVE-2026-24400

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • New functionality has javadoc added.
  • New functionality has a user manual doc added.
  • New PPL command checklist all confirmed.
  • API changes companion pull request created.
  • Commits are signed per the DCO using --signoff or -s.
  • Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@dai-chen dai-chen self-assigned this Mar 31, 2026
Addresses CVE-2026-24400 (GHSA-rqfh-9r24-8c9r), an XXE vulnerability
in AssertJ's isXmlEqualTo assertion when parsing untrusted XML. While
the vulnerable method is not used in this codebase and assertj-core is
test-scoped only, this bump resolves the security scanner finding on
the 2.19 branch.

Signed-off-by: Chen Dai <daichen@amazon.com>
@dai-chen dai-chen force-pushed the fix/cve-2026-24400-assertj-xxe branch from a185de6 to 7662174 March 31, 2026 16:43
@dai-chen dai-chen added the maintenance Improves code quality, but not the product label Mar 31, 2026
@dai-chen dai-chen marked this pull request as ready for review March 31, 2026 16:57
@dai-chen dai-chen merged commit 5b5dfee into opensearch-project:2.19 Mar 31, 2026
28 of 30 checks passed